{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreiayxblkwprmgjor4cm7lobghidjjbzy6fwvwizp625hlw6rgg6iiy",
"uri": "at://did:plc:pgryn3ephfd2xgft23qokfzt/app.bsky.feed.post/3mkfw73gd3si2"
},
"path": "/t/securereview-teaching-llms-to-read-code-like-a-senior-engineer/175575#post_1",
"publishedAt": "2026-04-26T15:23:14.000Z",
"site": "https://discuss.huggingface.co",
"tags": [
"SecureReview - a Hugging Face Space by sam25kat",
"SecureReview GRPO Trainer - a Hugging Face Space by sam25kat",
"SecureReview Trainer — Migration - a Hugging Face Space by sam25kat",
"SecureReview Trainer — IaC - a Hugging Face Space by sam25kat",
"GitHub - sam25kat/Secure_Reveiw · GitHub"
],
"textContent": "# SecureReview: Teaching LLMs to Read Code Like a Senior Engineer\n\n_Draft for HuggingFace blog · OpenEnv Hackathon submission, India 2026_\n\n---\n\n## The problem\n\nEvery existing OpenEnv environment tests the same skill — _can the agent **do** something?_ Play a game, navigate a grid, call a tool, write an answer.\n\nBut there’s a different skill that matters more for the world we’re heading into: **can the agent read what’s already there, and spot what will break in production?**\n\nCode review. Migration safety. Infrastructure misconfigurations. Vulnerable dependencies. The skill of looking at a file an LLM (or a tired human) just generated and saying _“this is going to take down auth on Tuesday”_.\n\nThat’s what **SecureReview** is — an OpenEnv environment that turns security review into a measurable RL task.\n\n## The environment\n\nThree review domains, all wired into the same FastAPI / Gym-style harness:\n\n| Task | What the agent sees | What it has to find |\n|---|---|---|\n| `dependency_review` | `package.json`, `requirements.txt` | Vulnerable / typosquatted / hallucinated packages |\n| `migration_review` | SQL migration scripts | Hot-row contention, RLS gaps, partition pruning, MVCC bloat |\n| `iac_review` | Terraform, K8s YAML, Dockerfile, docker-compose, GitHub Actions | Public S3, hardcoded secrets, privileged containers, IAM wildcards |\n\n**60+ hand-curated scenarios** across the three domains. Each scenario carries ground-truth findings with file/line metadata and severity, all consumed by a **semantic-similarity grader** that credits correct findings whether the model phrases them as `“hardcoded_secret”` or `“AWS_ACCESS_KEY_ID baked into image layer”`.\n\n## The training\n\nWe ran the **canonical industry-standard hybrid pipeline**: SFT warmup on the env’s ground-truth findings, then GRPO refinement against the live grader. Same recipe DeepSeek-R1, Qwen-RL, and OpenAI’s post-training stack use.\n\n| Task | Baseline | Trained | Δ | Wins |\n|---|---|---|---|---|\n| Dependency | `0.083` | `0.385` | **+0.302** | 20/24 |\n| Migration | `0.170` | `0.465` | **+0.295** | 10/12 |\n| IaC | `0.177` | `0.303` | **+0.126** | 6/13 |\n\nAverage **+0.24 mean reward lift**, individual scenarios gaining as much as **+0.91**. Each task trains in **under 30 seconds** on a single Hugging Face GPU credit.\n\n## Why this is interesting\n\n**The reward signal is dense by design.** Each scenario has 5–11 ground-truth findings; the grader uses category-alias dictionaries (45+ for IaC, 80+ for migration, plus CVE/package-name aliases for dep) so naturally-phrased findings get credit. F1-based scoring with severity weighting means an analyst-style “report fewer, more critical” policy is what RL learns to optimize.\n\n**The same env scales from 1.5B to 14B.** Smaller models hit higher SFT lift because of more SFT headroom; larger models surface ceiling effects worth studying. Both are _features_ the env exposes. Multi-scale runs are a one-click reproduce.\n\n**It’s a real benchmark, not a toy.** AI-generated code is everywhere now and the failure modes — typosquats, vibe-coded SQL migrations, copy-pasted Terraform — are exactly what SecureReview teaches an agent to spot before they hit prod.\n\n## Try it\n\n- **Env**: [SecureReview - a Hugging Face Space by sam25kat](SecureReview - a Hugging Face Space by sam25kat)\n- **Trainers** (one-click reproduce):\n  - [securereview-trainer](SecureReview GRPO Trainer - a Hugging Face Space by sam25kat) (dep)\n  - [securereview-trainer-migration](SecureReview Trainer — Migration - a Hugging Face Space by sam25kat)\n  - [securereview-trainer-iac](SecureReview Trainer — IaC - a Hugging Face Space by sam25kat)\n- **Code**: [GitHub - sam25kat/Secure_Reveiw · GitHub](GitHub - sam25kat/Secure_Reveiw · GitHub)\n\nClick “Run Training” on any trainer Space — full SFT->GRPO hybrid pipeline, training Loss + Before/After plots, **all in one click**.\n\n---\n\n_Built for the OpenEnv Hackathon 2026 (India). Submission round 2._\n\n_The Cook House._",
"title": "SecureReview: Teaching LLMs to Read Code Like a Senior Engineer"
}